1994-07-22
Subject: EFF Reactions to Encryption Standards & Procedures Act (Draft)
-----------------------------------------------------------------------
The staff of the House Science, Space, and Technology Committee has just
released a draft bill which would create a somewhat more public process for
establishment of Clipper-like escrowed encryption systems. Entry of the
Congress into this policy debate is a welcome change after 18 months of
one-sided Executive Branch edicts. However, considerable changes would be
required before the legislation would meet EFF's goals for a truly open
federal encryption policy which preserves the right of private individuals
to use any form of encryption, without restriction or penalty.
Despite its promise of an open process, this bill is by no means a
repudiation of the Clipper program. In fact, it enshrines in legislation
several key aspects of the Clipper policy. However, inasmuch as the bill
seeks to establish NIST authority to develop escrow encryption systems, it
raises real questions about whether NIST or other agencies have any
authority now to spend federal funds on escrow encryption systems.
Overview of the bill:
The bill directs the Department of Commerce, through the National Institute
of Standards and Technology, to issue escrowed encryption standards. The
standards issued would be subject to public comment and afford the
opportunity for judicial review under the terms of the Administrative
Procedures Act. Similar procedures are created for the designation of
government key escrow agents.
Several aspects of the Clinton Administration's approach to cryptography
policy are accepted by this bill:
1. Absolute preservation of law enforcement and national security access
Under this bill, any encryption standards adopted must "preserve the
functional ability of the government to interpret, in a timely manner,
electronic information that has been obtained pursuant to an electronic
surveillance permitted by law." Sec 31(b)(2)(E).
2. Weak privacy protection
The bill specifies that standards adopted should advance the development of
the NII, but offers only qualified support for privacy. Standards are only
required to go so far as not to "diminish existing privacy rights...."
Sec 31(b)(2)(D).
3. Increased role for National Security Agency in civilian privacy and
security matters
The bill establishes a permanent role for the National Security Agency in
the creation of privacy and security standards for use by the private
sector. Currently, under the Computer Security Act, NIST is encouraged to
consult with the NSA on matters of federal systems security and to draw upon
"computer system technical security guidelines developed by the National
Security Agency to the extent that the National Bureau of Standards
determines that such guidelines are consistent with the requirements for
protecting sensitive information in Federal computer systems." The bill would
explicitly extend the NSA role from federal systems to systems intended for
public, civilian use. As such, this is a major change in the Computer
Security Act.
Issues to be addressed in the draft:
To create a truly open policy process, to protect privacy, and to ensure
the development of the best privacy-protecting technology possible, the
bill should be augmented with the following provisions:
1. Voluntary standards
Any legislation on encryption standards must guarantee that no one will be
required to use such standards, nor will use of other encryption standards
be curtailed by law. Furthermore, federal encryption policy should
guarantee that access to government programs, opportunities, or even the
ability to communicate with the government, is never conditioned on
the use of any escrowed encryption standard. From the first announcement
of the Clipper program, the Clinton Administration has assured the public
that escrowed encryption would remain voluntary. This promise must be
included in legislation.
2. Open design process
The draft bill does call for an open process for formation of encryption
standards. Legislation should make explicit that an open process means
that no classified algorithms or technologies may be included. Though
there was public comment on the Escrowed Encryption FIPS (the Clipper
Federal Information Processing Standard), public process in that case was
meaningless because the core technology remained behind a veil of secrecy.
3. Remedies for negligence or abuse by escrow agents
As drafted, the proposal drastically limits the liability of federal escrow
agents for all but "willful" abuse by federal employees. The escrow
agents must also be held responsible for unauthorized release of keys caused
by the actions of private individuals or by negligent practices of
government agents.
4. Exploration of voluntary, private sector escrow agents
Finally, if the government is going to adopt a government-based escrow
system, it should also be required to explore the possibility of private
party escrow systems based on open standards.
The full text of the draft bill is available from EFF's archives:
ftp.eff.org, /pub/EFF/Policy/Crypto/encryp_stds_procedures_94_bill.draft
gopher.eff.org, 1/EFF/Policy/Crypto/encryp_stds_procedures_94_bill.draft
http://www.eff.org/pub/EFF/Policy/Crypto/encryp_stds_procedures_94_bill.draft